As an admin, you can create rules that tell Gmail how to handle messages with certain words that you specify. These rules can be applied to incoming or outgoing messages, or both. Rules can instruct Gmail to reject or quarantine messages, or to modify messages before delivering them. For example, you might create a rule that rejects outbound messages that include sensitive information, indicated by the word "confidential." Or, you might want to quarantine incoming messages that have objectionable words that you specify in the rule.
Use the Objectionable content setting by creating a word list, and then specifying the actions to take on messages with matching words.
Before you begin
When you create an objectionable content rule, keep in mind:
- Content matching is on single words only. Content matching on strings isn't supported. A rule can have more than one word for content matching.
- Words aren't case-sensitive. For example, if you add BAD to the custom word list, messages with these words are all treated as a match: BAD, bad, and Bad.
- Only complete words are supported when the rule is applied to messages. For example, if you add bad to the custom word list, a message with the word badminton isn't treated as a match.
- Word matching is done on the message subject, body, and any text attachments.
- Using a word inside square brackets, for example [BAD], isn't supported. The rule won't have any effect, even if the text in the rule, including the brackets, matches content in messages. If you need a rule to trigger for text enclosed in square brackets, create a content compliance rule to trigger on the regular expression
How settings are applied
Unless you change the options, the rules apply to all users in an organizational unit. You can disable in a child organization any rules they inherit from a parent organization. You can also add multiple rules to each organization.
When you set up multiple rules, what happens to a message depends on the conditions you set and which rule has precedence. For details, read How multiple settings affect message behavior.
Set up an objectionable content rule
Tip: We recommend that you test new rules to make sure they work correctly for your organization. For more information, see Best practices for faster rules testing.
In the Admin console, go to Menu AppsGoogle WorkspaceGmailCompliance.
- Scroll to the Objectionable content setting in the Compliance section, point to the setting, and click Configure or Add another rule.
- In the Add setting box, take these steps:
Setting options What to do Required: Enter a name or description for the new rule. If this field is empty, you can't save the new rule. Email messages to affect
Select which messages that you want to apply the rule to:
- Inbound—Incoming messages from senders outside your organization.
- Outbound—Outgoing messages sent by people in your organization.
- Internal-Sending—Outgoing messages from internal senders. Messages from internal senders have your organization's domain or subdomain in the From field.
- Internal-Receiving—Incoming messages from internal senders. Messages from internal senders have your organization's domain or subdomain in the From field.
Add words you want to search for in each message
- Check the Custom objectionable words box.
- Under Enter words, enter words that trigger the rule, following these guidelines:
- Separate individual words with a comma.
- Strings aren't supported.
- To trigger the rule, at least one of the words you enter here must be in the message body, subject, or attachments.
If the above expressions match, do the following
Select the option for handling messages that trigger the rule:
- Reject message—Rejects the message before reaching the recipient. For matching messages, no other routing or compliance rules are applied. Gmail automatically adds an SMTP rejection code, such as 550 5.7.1. The SMTP (email) standard requires this, and it can't be deleted. Optionally, enter a custom bounce message under Customize rejection notice to let senders know why their message was rejected.
- Quarantine message—Sends the message to an admin quarantine, where you can review the message before you deliver it or reject it. This option is only available for the Users account type. For details, see Account types to affect. To notify senders when their messages are quarantined, check the Notify sender when mail is quarantined (onward delivery only) box.
- Modify message—Add headers, remove attachments, change the envelope recipient, add more recipients, and change the route before delivering the message.
Modify message options
If you selected Modify message above, select options to specify how you want matching messages modified before they're delivered:
Add X-Gm-Original-To header
Add a header tag if the recipient is changed, so the receiving server knows the original envelope recipient. An example of the header tag format is X-Gm-Original-To: email@example.com.
Add X-Gm-Spam and X-GM-Phishy headers
Add headers that indicate message spam and phishing status. Administrators for a receiving servers use this information to set up special rules for managing spam and phishing messages. For details, go to Add spam headers setting to all default routing rules.
Add custom headers
Add custom headers to messages affected by this setting. For example, you can add a header that matches the description you entered for the setting. Custom headers can help you troubleshoot routing settings and message delivery.
Prepend custom subject
Add custom text to the beginning of the subject line for specified messages. For example, enter Confidential for sensitive messages. If a message with the subject Monthly report is affected by this setting, the subject line is updated to: [Confidential] Monthly report.
Change route and Also reroute spam
Change the route—Change the message destination from the default Gmail server to a different mail server. Before you can change the route, you must add the server by following the steps in Add mail servers for Gmail email routing.
Also reroute spam—This option is available when you select Change the route. Blatant spam is dropped at delivery time. The Also reroute spam option routes any additional email you mark as spam. Leave the box unchecked to route normal messages, but not spam. Admin console email settings (for example, a list of preauthorized senders) overrides spam settings.
- Suppress bounces from this recipient—Prevent bounced messages from being rerouted to the configured mail route. For example, you might want to prevent bounced messages from being rerouted to an automated system. Leave this box unchecked if you want the receiving mail system to get bounced messages, for example so senders know when their message isn't delivered.
Change envelope recipient
The message bypasses the original recipient’s mailbox and goes to the new recipient. Change the envelope recipient in one of these ways:
- Replace the recipient’s entire email address—After Replace recipient, enter the full email address, such as firstname.lastname@example.org.
- Replace username—To change just the username of the recipient's email address and keep the domain the same, before @existing-domain, enter the username, such as user.
- Replace domain—To change just the domain of the recipient's email address and keep the username the same, after existing-username@, enter the domain, such as solarmora.com.
An MX lookup on the new recipient's domain determines the destination server. Or, if you’re using the Change the route control, the specified route determines the destination server. To Bcc additional recipients, use the Add more recipients option, described below.
Bypass spam filter for this message
Deliver incoming messages to recipients even if the spam filter identifies them as spam. This option applies only to incoming messages. You can’t bypass spam filters for outgoing messages. Note: This option is not available for the Groups account type. For details, go to Account types to affect.
Remove attachments from message
To remove any attachments from messages, select this option. You can also add text to let recipients know that attachments were removed.
Add more recipients
- To set up dual or multiple delivery, check the Add more recipients boxclick Add .
- To add individual email addresses, select Basic from the listclick Save.
- (Optional) To add more addresses, click Add .
- (Optional) To choose advanced options for your secondary delivery, select Advanced from the list.
You can change the envelope recipient, add headers, prepend a custom subject, and remove attachments for secondary deliveries. Note: The Do not deliver spam to this recipient advanced option isn't supported for the Groups account type.
When you add recipients, keep in mind:
- Rules have a limit of 100 additional recipients.
- Settings for the primary delivery also apply to the secondary deliveries.
- For secondary deliveries, the Do not deliver spam to this recipient and Suppress bounces from this recipient boxes are checked by default.
- Adding additional recipients creates a message for each added recipient. Advanced Gmail settings apply to each message.
Encryption (onward delivery only)
By default, Gmail tries to deliver messages using Transport Layer Security (TLS). If secure transport isn’t available, the message is delivered over a nonsecure connection. Select encryption options for messages affected by the setting:
- Require secure transport (TLS)—Require all messages meeting the conditions in the setting to be sent over a secure connection. If TLS isn't available on the sending or receiving side, the message won't be sent.
- Encrypt message if not encrypted—Encrypts messages with S/MIME. If you have an Enterprise or Enterprise for Education account, you can also bounce messages or require that messages can only be sent if they are S/MIME encrypted. For details, go to Enhance message security with hosted S/MIME.
Account types to affect (optional)
Depending on the message action you chose and the type of organizational unit you’re configuring, some account types might not be available.
Select one or more account types that the setting applies to:
- Users (default)—The setting applies to provisioned users. For sending and outbound mail, the setting is triggered when your users send email. For receiving and inbound mail, the setting is triggered when your users receive email.
- Groups—The setting applies to groups set up in your organization. For sending and outbound mail, the setting is triggered when your groups forward email or summaries to members. For receiving and inbound mail, the setting is triggered when your groups receive email.
- Unrecognized/Catch-all—The setting is triggered when your organization receives email that doesn’t match one of your provisioned users. This selection only applies to received and inbound email.
Note: The Groups and Unrecognized/Catch-all account types don’t apply to these controls:
- Add X-Gm-Spam and X-Gm-Phishy headers
- Bypass spam filter for this message
- Also reroute spam
When you're finished, go to Add and save the setting.
Envelope filter (optional)
To affect only specific envelope senders and recipients, set up an envelope filter:
- At the bottom of the Add setting window, click Show options.
- Check one or both of these options:
- Only affect specific envelope senders
- Only affect specific envelope recipients
- From the list, choose an option:
- Single email address—Enter the complete email address for a user.
- Pattern match—Enter a regular expression to specify a set of senders or recipients in your domain. For example:
Learn more about Guidelines for using regular expressions.
- Group membership—Select one or more groups in the list. For envelope senders, this option only applies to sent mail. For envelope recipients, it only applies to received mail. If you haven't, first create the group.
Note: This option affects group members, and members of child groups. For example, if Group B is a member of Group A, this option affects members of Group A and Group B.
- At the bottom of the Add setting box, click Save. Changes can take up to 24 hours but typically happen more quickly. Learn more
Set up rules to require S/MIME signature and encryption with hosted S/MIME.
Google, Google Workspace, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.